• United States




Why CISOs need to put attackers in the psychologist’s chair

Nov 15, 20174 mins
CybercrimeHackingTechnology Industry

Can the TV show 'Mr. Robot' teach us anything useful about how to deal with cybercrime?

Man laying on psychiatrists couch getting therapy
Credit: Thinkstock

With season three of “Mr. Robot” now on our screens we are in for another Hollywood-eye view into the murky world of cybercrime. 

The series’ main character, Elliot Alderson, a network technician by day and hacker by night, meets all our preconceived notions of a cybercriminal – young, male, introverted, and surgically attached to his black hoody. But stereotypes aside, “Mr. Robot” is hailed by many in the cyber security world as the most realistic portrayal of hacker culture to-date, could it potentially provide some insight into the psychology of cyber criminals?

Understanding the motivation and intent behind cyberattacks is as much a part of fighting cybercrime as is using sophisticated technologies to detect and eliminate threats.

After all, cyber criminals use psychological manipulation to increase the effectiveness of their activities by preying upon human emotions of fear, anger, and embarrassment with ransomware attacks or phishing attacks exploiting the overwhelmed executive. As such, there is no reason why CISOs should not turn the tables and leverage psychology to identify key trends and behaviors to combat these criminal practices.

The key motivations behind cybercrime can be broken down into three broad categories:

Financial gain

The most obvious motivation behind cybercrime has traditionally been financial gain – both directly in the form of ransom payments and infiltrating financial systems, or indirectly, including stealing valuable data to be sold. To some, cybercrime is simply a way of making a living and is often more lucrative than using their skills for legitimate activities. Participants are lured into groups or networks by the promise of financial reward, often without fully understanding the legal or ethical implications of what they are doing.

Political or social ideology

Ideology is a second motivation for cybercrime, illustrated by a high-profile hack in 2014, which forced Sony Pictures to pull a controversial movie. These types of activities are often referred to as hacktivism –  supposedly a more socially acceptable form of cyber criminality – and attacks are usually carried out in response to a perceived injustice. The “fsociety” network depicted in “Mr. Robot” places itself in this hacktivist category, aiming to eradicate consumer debt by encrypting the financial data of a global corporation. 


In a similar way to trolling, cyberattacks can be carried out purely for the thrill. Perpetrators may be bored, wanting to rebel against the establishment, or seeking to outsmart their victims. And the perceived glamour and secretiveness of a hacker network – especially one with distinct branding like Anonymous – can seem exciting. Belonging to such a group makes individuals feel they are not personally responsible for their actions, and the apparent anonymity of the internet gives the impression those actions are less likely to have legal or social ramifications.     

Psychological profiling within cybercrime is like that of other types of crime. Using geographic profiling to look at where the offender lives, works, and plays is often a less reliable indicator given today’s edgeless networks, but similar patterns do exist in the digital world, especially when the individual is part of an organized network in constant communication. Inductive profiling, which uses behavioral patterns and demographic characteristics can be combined with deductive profiling which uses digital forensic evidence. 

Security researchers – also known as white-hat hackers – employed by penetration testing companies to try to breach the defenses of systems and identify vulnerabilities that need fixing, provide CISOs with a view into the hacking underworld. As well as intentionally hacking into systems, these researchers can follow and interact with criminal communities to understand trends and predict attacks.

There can be a fine line between legitimate cyber security investigation and criminal behavior, evidenced by the arrest of Marcus Hutchins – the British security researcher credited with stopping the WannaCry ransomware – on suspicion of creating a banking virus. But the experiences of security researchers can be invaluable in better understanding the mind of their black-hat counterparts. In fact, the apparent technological authenticity of Mr. Robot is credited to writer and technology producer, Kor Adana, who was formerly employed to test the security of car computers by attempting to hack into them.

The latest season of “Mr. Robot” is pure entertainment, but there is a serious message buried within its plot. The more intelligence CISOs have about cyber threats and the people behind them, the more likely these threats are to be detected and remediated quickly. By combining a deeper understanding of the psychological motivation behind cybercrime, security officers can finally get one step ahead of cyber criminals with technological tools to detect and prevent attacks – whether they’re wearing their stereotypical black hoodies or not.


Kirsten Bay is President and CEO of Cyber adAPT, a Gartner 2017 Cool Vendor.

Throughout her 25-year cyber security career, Kirsten has sat on a United States congressional committee developing cyber policies, initiatives and recommendations for the intelligence community. She has also collaborated on information studies for MIT-Harvard and several federal agencies. In the UK, she has contributed her insight to a parliamentary subcommittee on recreating trust in the global economy.

Kirsten founded Cyber adAPT in 2015. Cyber adAPT secures every segment of the digital enterprise, finding more attacks more quickly than alternative approaches. Its patented detection platform, skwiid, monitors network traffic in real-time, detecting threats between mobile devices, IoT connections, cloud services, and the core network.

The opinions expressed in this blog are those of Kirsten Bay and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.